ktg-plugin-marketplace/plugins/okr/SECURITY.md
Kjell Tore Guttormsen 5078712f0e feat: add okr plugin v1.0.0 — OKR guidance for Norwegian public sector
Expert OKR guidance based on Google/Doerr methodology, adapted for
4-month tertial cycles and Norwegian government accountability.

Components:
- 8 commands (skriv, kvalitet, kaskade, sporing, møter, innføring, governance, oppsett)
- 5 agents (kvalitetssjekker, kaskadebygger, fremdriftssporer, møtefasilitator, styringsrådgiver)
- 3 hooks (UserPromptSubmit context injection, PreCompact state preservation, Stop reminder)
- 15 reference files covering methodology, governance, meetings, antipatterns
- Linear MCP integration for OKR tracking

Previously in ktg-privat, now open-sourced.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 13:32:45 +02:00


Security Policy

Supported Versions

| Version  | Supported |
|----------|-----------|
| >= 1.0.0 | Yes       |

Reporting a Vulnerability

If you discover a security vulnerability, please:

  1. Do not open a public issue
  2. Email the maintainer directly or use GitHub's private vulnerability reporting
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment within 48 hours
  • Status update within 7 days
  • Fix timeline depends on severity

Security Considerations

This plugin handles OKR data, which may contain sensitive organizational information:

Data Handling

  • All processing happens locally in Claude Code
  • No data is transmitted to external services (except configured integrations)
  • Linear integration uses your own API credentials

Sensitive Files

The following files contain sensitive data and are gitignored:

| File                 | Contents                                |
|----------------------|-----------------------------------------|
| .claude/okr.local.md | Linear API configuration, team settings |
| .mcp.json            | MCP server credentials                  |

Best Practices

  • Never commit okr.local.md to version control
  • Use environment variables for API keys when possible
  • Review OKR content before sharing externally
  • Consider data classification when tracking sensitive objectives

Linear Integration Security

If using Linear integration:

  • API keys are stored locally in okr.local.md
  • Use team-scoped API keys, not personal tokens
  • Rotate keys periodically
  • Review Linear's security documentation
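The two sensitive-file practices above (keep okr.local.md and .mcp.json out of version control, prefer environment variables for the Linear API key) can be checked mechanically before a commit. The script below is an added example, not code shipped with the okr plugin: it evaluates a `.gitignore` against the file list from this policy, flags files that are already tracked (a `.gitignore` rule never un-tracks a committed file), and resolves the Linear key from an environment variable before falling back to the local file. The variable name `LINEAR_API_KEY`, the `linear_api_key:` line format inside okr.local.md and all sample contents are constructed for the example; the gitignore matcher is a simplified reimplementation, not git's own.

```python
"""Added example: sensitive-file hygiene checks for the okr plugin.

Not part of the plugin. LINEAR_API_KEY and the `linear_api_key:` line
format are assumptions; the .gitignore matcher is simplified (no '**',
and '*' in an anchored pattern is allowed to cross '/').
"""
import fnmatch
import re
from typing import Iterable, Mapping, Sequence

# Files the SECURITY.md lists as containing secrets.
SENSITIVE_FILES: Sequence[str] = (".claude/okr.local.md", ".mcp.json")

# Assumed environment variable name; the plugin does not specify one.
ENV_KEY = "LINEAR_API_KEY"


def _pattern_matches(pattern: str, path: str) -> bool:
    """Match one .gitignore pattern against a repo-relative path.

    Patterns containing '/' are anchored to the repo root; bare patterns
    match any path component; a trailing '/' matches a directory prefix.
    """
    pattern = pattern.strip().lstrip("/")
    if not pattern:
        return False
    if pattern.endswith("/"):
        return path.startswith(pattern.rstrip("/") + "/")
    if "/" in pattern:
        return fnmatch.fnmatchcase(path, pattern)
    return any(fnmatch.fnmatchcase(part, pattern) for part in path.split("/"))


def gitignore_covers(gitignore_text: str, path: str) -> bool:
    """True if the last matching rule ignores `path` (negations re-include)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        if _pattern_matches(pattern, path):
            ignored = not negate
    return ignored


def missing_from_gitignore(gitignore_text: str,
                           sensitive: Sequence[str] = SENSITIVE_FILES) -> list:
    """Sensitive files that .gitignore would NOT keep out of the repo."""
    return [p for p in sensitive if not gitignore_covers(gitignore_text, p)]


def tracked_sensitive(tracked_paths: Iterable[str],
                      sensitive: Sequence[str] = SENSITIVE_FILES) -> list:
    """Sensitive files already in the index (e.g. from `git ls-files`)."""
    tracked = set(tracked_paths)
    return [p for p in sensitive if p in tracked]


def resolve_linear_api_key(environ: Mapping[str, str],
                           local_md_text: str) -> tuple:
    """Return (source, key): environment first, okr.local.md as fallback."""
    key = environ.get(ENV_KEY, "").strip()
    if key:
        return ("env", key)
    m = re.search(r"^linear_api_key:\s*(\S+)\s*$", local_md_text, re.MULTILINE)
    if m:
        return ("okr.local.md", m.group(1))
    return ("none", "")


# Constructed sample inputs (not real keys or repo contents).
SAMPLE_GITIGNORE_OK = """# constructed sample
node_modules/
.claude/okr.local.md
.mcp.json
"""

SAMPLE_GITIGNORE_BAD = """# constructed sample: .mcp.json re-included by a later rule
.claude/
.mcp.json
!.mcp.json
"""

SAMPLE_LOCAL_MD = """---
linear_api_key: lin_api_EXAMPLEKEY000
linear_team: PLATFORM
---
"""

if __name__ == "__main__":
    print("uncovered (ok):  ", missing_from_gitignore(SAMPLE_GITIGNORE_OK))
    print("uncovered (bad): ", missing_from_gitignore(SAMPLE_GITIGNORE_BAD))
    print("already tracked: ", tracked_sensitive([".mcp.json", "README.md"]))
    print("key source:      ", resolve_linear_api_key({}, SAMPLE_LOCAL_MD)[0])
```

In a real checkout, feed `tracked_sensitive` the output of `git ls-files`; for the authoritative ignore decision use `git check-ignore -q <path>` rather than the simplified matcher. Logging only the `source` element of the resolver's result keeps the key itself out of terminal history and CI logs.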